HIPAA-Compliant Cloud Storage: What You Need to Know

Pointers for storing PHI in the cloud

  • If you’re storing medical records in the cloud, you need to ensure you’re safeguarding patients’ protected health information — PHI — in order to remain HIPAA-compliant.
  • You’ll also have to keep Security Rule, Privacy Rule, and Breach Notification Rule considerations in mind.
cloud server room

Are you considering transitioning from hard copy medical records to EMRs? If so, you might be thinking of using the cloud to store all the data. But just like with hard copy patient files, you need to protect electronic PHI according to HIPAA regulations. Here’s a broad overview of what you need to know.

What Is Cloud Computing?

According to PCMag, cloud computing involves accessing and storing programs and data over the internet.

Many applications — for example, Microsoft Office — that once used to be installed on users’ hard drives are now instantly accessible in the cloud. This means that all the computing that used to take place on users’ hard drives is now performed on the internet. Similarly, cloud storage involves sending data over the internet to an offsite data center to store it on servers.

Cloud computing offers many benefits because it:

  • Is scalable and accessible from anywhere with an internet connection.
  • Promotes business continuity because there are fewer operational issues.
  • Requires less capital, since you don’t have to invest in a lot of hardware and software.
  • Reduces your carbon footprint.
  • Enables contactless medical record fulfillment, because you can handle all release of information requests virtually.
  • Is highly secure, because it’s far more challenging to physically access remote servers.

For users, leveraging the cloud involves using a web-based interface to send, store, manage, and receive data. Think of the dashboard you see when you use Google’s G Suite — it allows you to go to Drive, Docs, Sheets, Calendar, and so on.

Can PHI Be Stored in the Cloud?

Yes, you can store electronic protected health information in the cloud, as long as you use HIPAA-compliant cloud storage. So what does that involve?

In practice, it means your cloud service provider must enter into a business associate agreement — BAA — with you to ensure it complies with HIPAA regulations. The reason for this is that the provider can technically access all of the data in its cloud — and you’re responsible for protecting that data.

As HIPAA Journal explains, you and the service provider must implement all necessary measures to safeguard the integrity, confidentiality, and availability of the PHI. This involves putting controls in place to transmit, store, and manage the data securely. In addition, all activity — including failed and successful access attempts — must be recorded in a log.

Choosing a HIPAA-Compliant Cloud

According to the Department of Health and Human Services, it’s critical to understand the specific cloud computing solution the service provider is offering. That way, you can conduct a thorough risk analysis, establish risk management policies, and enter into an appropriate BAA.

The BAA should outline the required and permitted uses of the PHI based on the business relationship between you and the service provider.

Considerations Regarding the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule

There are some important considerations to keep in mind. For example, you might retain responsibility for authenticating access to the PHI. Under the Security Rule, the service provider might still have to establish internal controls and security features to limit access to its administrative tools.

In addition, the service provider must remain in compliance with the Privacy Rule when it comes to disclosing and using PHI. For instance, it can’t block or restrict your access to the PHI. At the same time, it must ensure you can always provide individuals with access to their medical records.

Because the service provider is a business associate, it must also comply with the Breach Notification Rule. Specifically, it must notify you of breaches of unsecured PHI. That’s PHI that hasn’t been destroyed or doesn’t meet the HHS’ guidelines for encryption. It also has to notify you of any breaches of adequately encrypted PHI, along with the encryption key.

Select a Service Provider With Proven Experience in HIPAA-Compliant Cloud Storage

Using the cloud to store PHI offers many benefits for healthcare businesses. Nevertheless, selecting a cloud service provider and entering into a BAA involves research and the establishment of clear contractual terms. For this reason, it’s always wise to select a service provider with proven experience in HIPAA-compliant cloud storage.

See Our Health Information Exchange Software in Action!